But after lobbying by the Electronic Frontier Foundation and the American Civil Liberties Union of Northern California, California Assembly Member Bonnie Lowenthal (who represents parts of the Los Angeles area) recently introduced a bill that could extend that concept to the Golden State for the first time. The "Right to Know Act of 2013" (AB 1291) was re-read and amended a second time on Monday.

The Legislative Counsel’s Digest summarizes the bill as it is currently written this way:

This bill would instead require any business that retains a customer’s personal information, as defined, or discloses that information to a third party, to provide at no charge, within 30 days of the customer’s specified request, a copy of that information to the customer as well as the names and contact information for all third parties with which the business has shared the information during the previous 12 months, regardless of any business relationship with the customer. This bill would require that a business subject to these provisions choose one of several specified options to provide the customer with a designated address for use in making a request for copies of information under these provisions.

If a company does not comply, citizens can file a civil suit to force compliance.

California has a history of pushing privacy concepts into law and influencing non-California businesses to comply. For example, the California Online Privacy Protection Act requires websites to prominently describe data collection and use. (Condé Nast, Ars’ parent company, does this even though it is not based in California.)

As the EFF wrote on Tuesday: “Hopefully, as companies put efficient systems into place to enable Californians to learn what is happening to their data, it will be easy for the companies to make those systems available to people outside of California. And like California’s model for data breach notification laws, (first enacted in California in 2002 and now integrated into law in 46 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands), transparency will become the default, helping consumers while saving companies money down the line.”


Cyrus Farivar
Cyrus is a Senior Tech Policy Reporter at Ars Technica, and is also a radio producer and author. His latest book, Habeas Data, about the legal cases over the last 50 years that have had an outsized impact on surveillance and privacy law in America, is due out in May 2018 from Melville House. Email: cyrus.farivar@arstechnica.com // Twitter: @cfarivar

I like it. Which is fairly rare for me to say about California politics.

One thing I'm curious about is if there is some limit on how often; to keep people from effectively DDoSing a company by getting a group of people to request their info daily. Or, could a company hold the request for e.g. 21 days, then serve multiple requests with a single return? (It'd still be better, in my mind, to limit to once per year, 6 months, something like that.)

If your company wasn't based in California, would this law be enforceable? I would not think so, which just means those companies based in California will just "move" their corporate HQ.

I think a lot of laws are applicable if you just have a physical presence. So if your company had an HQ in CA and relocated to elsewhere, but left the office in CA operational, they'd still be subject.

If your company wasn't based in California, would this law be enforceable? I would not think so, which just means those companies based in California will just "move" their corporate HQ.

I think a lot of laws are applicable if you just have a physical presence. So if your company had an HQ in CA and relocated to elsewhere, but left the office in CA operational, they'd still be subject.

And it's a start, at least.

Oh yeah I agree completely, I'm just fairly positive the big companies will find a loophole to weasel through, while smaller companies won't be able to. Then it could become, albeit a minor one, a burden on smaller companies.

I'm usually pretty iffy (at best) when California wants to pass "unprecedented" laws. But I am 100% for this. We have a right to know anything that has been collected about us, period.

I think the wary instincts of the commenters here are correct... there is a similar law in the off-shore European tax haven called Jersey (the Data Protection law) -- but it has been used to prosecute a whistleblower (Stuart Syvret) and actually put him in jail for several months. His crime was disclosing the name of a nurse who had been accused of multiple murders and was trying to be re-instated into the health care business. Of course some of those following his case believe that the true motive of the Jersey authorities was to shut Syvret up about all the child abuse allegations he had been investigating and discussing surrounding the Haut de la Garenne case.

Another prosecution under the law came because someone pulled an email off of a printer that was related to the Syvret case.

In theory, anyone who collects any data, at all, about anyone, has to register with the government and pay a fee. There was even a charity that had to stop doing one of its holiday gift-basket programs because they were collecting data about who needed food.

In theory, certain activities are exempted, such as journalism, etc. In reality, guess who decides what counts as journalism and what doesn't?

I'm usually pretty iffy (at best) when California wants to pass "unprecedented" laws. But I am 100% for this. We have a right to know anything that has been collected about us, period.

Agreed. This really is long overdue to take hold here and while I may not be overly fond of some other aspects the EU and other European countries have this is one (besides decent internet access for all) where they have a leg up on this.

Now of course it remains to be seen if Facebook and all the others will dig in their heels and fight or if the special interest groups will try and kill this off.

I'm usually pretty iffy (at best) when California wants to pass "unprecedented" laws. But I am 100% for this. We have a right to know anything that has been collected about us, period.

Agreed. This really is long overdue to take hold here and while I may not be overly fond of some other aspects the EU and other European countries have this is one (besides decent internet access for all) where they have a leg up on this.

Now of course it remains to be seen if Facebook and all the others will dig in their heels and fight or if the special interest groups will try and kill this off.

Forget the web companies, the real folks I'd go after with a law like this are the credit reporting agencies.

I don't really care if Google or Amazon know my shopping habits, but credit data, and how it's used makes a much bigger real-world impact on my life.

I'd also have fun abusing AT&T to figure out how much information they track about which phones I've used.

That said, it's a big challenge to put all this data in a customer-usable fashion for a company. It'd not be cheap to make available either, and if you'd have to pay to get it (like a credit report past the first), then it'd likely be cost prohibitive.

An "Unprecedented law" that has already been established for several years in other legislatures is indeed a rather interesting way to phrase this.

Miwa wrote:

That said, it's a big challenge to put all this data in a customer-usable fashion for a company. It'd not be cheap to make available either, and if you'd have to pay to get it (like a credit report past the first), then it'd likely be cost prohibitive.

They only have to provide data they have obviously and since those companies do data warehousing anyhow, it basically comes down to writing some specific queries against that data. Ok so you have to write the queries and you have to provide a few minutes of computation time on their clusters to it, but all in all this really shouldn't be cost prohibitive for larger companies.

But yes going by EU law it's important to emphasize that the data has to be human readable, returning a string of numbers and acronyms without explanation is *not* acceptable (e.g. Deutsche Telekom tried that unsuccessfully). Also the report is free, but you can't DDOS a company by requesting a new report every day, you can only do it once a year or so iirc.

It's a great idea, but getting Apple, Facebook, Google, etc. to actually reveal 100% of what they know about you is never going to happen. It's too much data with too much value. Unless pushed by a court ordered audit the best you're going to get is summaries and the most obvious details.

Smart phones track their owners 24/7/365 and the data is recorded in multiple databases by your carrier, the phone maker, the push notification providers and analytics companies. It's all "anonymous" until you create an ID within an app or sign into GooglePlay and then you're a real person with real data that can be associated with location and behaviour data.

Strong privacy laws are good, but the best way to stop companies from tracking us is to let them know that you find targeted advertising offensive and refuse to purchase goods or services offered through targeted ads. If there was no money to be made from stalking us they might stop doing it.

Unfortunately targeted advertising works and many people welcome ads for products they might be interested in. Such behaviour encourages companies to find even more ways to track everything we do.

Because, quite simply put, a lot of the stored data is completely useless to read because it isn't in a format that is at all useful to anything but a machine. It costs money to find and shove out the content, it opens up people to identity theft if someone requests "their" data and is actually trying to get someone else's. It allows people like Max Schrems to waste a huge amount of time and money for the company to go hunting for stuff, and claim "But my rights!11111" when it is pointed out that this is their purpose.

I'm usually pretty iffy (at best) when California wants to pass "unprecedented" laws. But I am 100% for this. We have a right to know anything that has been collected about us, period.

Agreed. This really is long overdue to take hold here and while I may not be overly fond of some other aspects the EU and other European countries have this is one (besides decent internet access for all) where they have a leg up on this.

Now of course it remains to be seen if Facebook and all the others will dig in their heels and fight or if the special interest groups will try and kill this off.

It allows people like Max Schrems to waste a huge amount of time and money for the company to go hunting for stuff.

It's just nonsense.

Why is it a waste of money? The companies are obviously making money collecting the data. It's not unreasonable to ask them to spend some money formatting it for and supplying it to the source of their income, their users. It's a cost of doing business. If it costs more than they can earn by collecting the data then they can stop collecting it and find a new business model. Anyway, the only reason Facebook had to work so hard to collect Schrems's data, if in fact it did have to work hard, is because they don't have built-in functionality to produce a record of the data. If something like this law passes, they can build collection and delivery into their software stack easily enough.

It's a great idea, but getting Apple, Facebook, Google, etc. to actually reveal 100% of what they know about you is never going to happen. It's too much data with too much value. Unless pushed by a court ordered audit the best you're going to get is summaries and the most obvious details.

Smart phones track their owners 24/7/365 and the data is recorded in multiple databases by your carrier, the phone maker, the push notification providers and analytics companies. It's all "anonymous" until you create an ID within an app or sign into GooglePlay and then you're a real person with real data that can be associated with location and behaviour data.

Strong privacy laws are good, but the best way to stop companies from tracking us is to let them know that you find targeted advertising offensive and refuse to purchase goods or services offered through targeted ads. If there was no money to be made from stalking us they might stop doing it.

Unfortunately targeted advertising works and many people welcome ads for products they might be interested in. Such behaviour encourages companies to find even more ways to track everything we do.

Strange that you would include Apple with the likes of Google and Facebook when those two companies wouldn't exist if it were not for people's personal data. That is certainly not the case for Apple.

In 1986, then-Assemblywoman Gwen Moore, chairwoman of the Utilities & Commerce Act, introduced the Personal Information Integrity Act, which essentially made the same requirements of information holders as does the current bill, except that it made it mandatory for all information holders to annually inform all persons to whom information pertained that it had been passed to a third party. In other words, every adult in California.

The PIIA actually passed out of the Assembly when an exception was made for companies sharing information with their subsidiaries. As the bill's manager, I remember facing a roomful of business lobbyists to argue for Assembly passage of the PIIA -- and was surprised when I succeeded! I later heard from one of the lobbyists that most of them were sympathetic, concerned mainly for their own privacy, worried what might happen if their shenanigans ever made it onto the front-page news. Good thinking.

The PIIA was defeated in the Senate, however, when the late Sen. Ed Davis, the former embattled LAPD chief, stood to speak against the bill in behalf of the bumptious TRW, then in the credit checking business. Ironically, TRW has exited that line of business. And Davis has passed away, his corrupt obstructionism absent from the scene, leaving it to the next generation of legislators to set things right in California.

Had the PIIA been enacted in 1986, identity theft as we know it today might never have gotten started. And people's lives wouldn't have become the stuff of fat portfolios shared for a price among direct marketers, bondsmen, prospective employers, loan managers, financial extortionists, and just about everyone else who shouldn't automatically get to know everything about everyone.

Why is it a waste of money? The companies are obviously making money collecting the data. It's not unreasonable to ask them to spend some money formatting it for and supplying it to the source of their income, their users. It's a cost of doing business. If it costs more than they can earn by collecting the data then they can stop collecting it and find a new business model. Anyway, the only reason Facebook had to work so hard to collect Schrems's data, if in fact it did have to work hard, is because they don't have built-in functionality to produce a record of the data. If something like this law passes, they can build collection and delivery into their software stack easily enough.

Let me tell you something:

You are the cause of all inefficiencies in the government. You, personally.

"It doesn't cost that much." ORLY?

Okay, let's be clear. Let's take something like, say, Google search. What exactly data do they collect? My guess? At a minimum:

What you search for.
Which links you click on.
How many pages of data you go through for any particular search.
What kind of searches you go through (video, picture, shopping, etc.)
Which ads you click on.
What time of day you searched for what you're looking for.
What day of the week you searched for what you're looking for.
How long you spend on the search page.
What you searched for next.

That's a lot of stuff. That's a -lot- of stuff. And if you search, say, 10 times a day, for a year, that is 3,650 queries just based on your searches alone. And a lot of this data is not going to be stored like this, but rather compressed into big datasets which are read by computers, not by people - storing it in human-readable form is inefficient.

And that's just searching, let alone, say, anything else you might be up to on their website that they might want to track - what sort of queries you make on Google Earth, what features you click on or ignore, what sort of destination data you are asking for, what location you are searching for when you type in a string, the list goes on.

And EVERY TIME that they track anything additional - anything at all - they have to then update not only their database, but your own super special file, because creating the file after the fact is practically impossible because there are all sorts of data that they're going to be storing away in various places and it's difficult for them to recover all of it after the fact as a lot of it IS going into databases and the like rather than being stored as specifically yours, even though you "donated" to said database.

This costs:

Storage space
Time
Effort
Endless lawsuits as "is that really all of my data"?

It makes it easy to make a mistake and not include data.

People like you are bad for society. Period. There are no exceptions.

"I want the government to be accountable!" So what ends up happening is that they have four audits per year, each taking a week, meaning that instead of getting 52 weeks of work out of said agencies, you get 48 weeks of work. Except wait, they have to spend a week prepping for the audits. 44 weeks. Given that they need vacation time and sick leave, you really only are looking at 49 weeks a year in the first place, so really the actual reduction is to 41 weeks. Congrats, you have now cut government efficiency by 16%. "Why is the government so inefficient!" Gee I wonder.

There's a limit on how much regulation is a good thing. This is an example of bad regulation because it makes people do a whole lot of work for zero gain. "But I am an insane moron, I have the right to this!" No, you really, really, really, really don't. If you don't like it, don't do business with Google or Facebook. "But I have to!!!!" Really? You HAVE to? Then sure, you can pay them forty dollars a year or whatever to avoid being put in their databases or tracked beyond the most basic data.

The cost is an undue burden. Period.

EDIT: Also, if anyone ever gets unauthorized access to all this data neatly put together for you which describes everything you've ever done on Google, you're hosed. And you, in your infinite stupidity, will blame Google and not your own insane insistence that Google prepare these materials for you.

Typically California laws trigger a "what were they thinking?" reaction, so I will wait to see the legalese version as finalised (assuming it becomes law).

To those saying this could become cost prohibitive to implement, if a company is keeping data and can't tie this to an account and present this to the customer, it has no business keeping personally identifiable data. I can however see this happening if things like the sequence of pages visited each session needs to be saved and presented (e.g. the photos you visited during a Facebook session).

So it comes back to being a great idea in theory, and the first step along what privacy advocates see as a productive path (next step being able to force companies to delete your data entirely). It will however depend on the wording, as is the case with any law.

You are the cause of all inefficiencies in the government. You, personally.

"It doesn't cost that much." ORLY?

Okay, let's be clear. Let's take something like, say, Google search. What exactly data do they collect? My guess? At a minimum:

What you search for.
Which links you click on.
How many pages of data you go through for any particular search.
What kind of searches you go through (video, picture, shopping, etc.)
Which ads you click on.
What time of day you searched for what you're looking for.
What day of the week you searched for what you're looking for.
How long you spend on the search page.
What you searched for next.

That's a lot of stuff. That's a -lot- of stuff. And if you search, say, 10 times a day, for a year, that is 3,650 queries just based on your searches alone. And a lot of this data is not going to be stored like this, but rather compressed into big datasets which are read by computers, not by people - storing it in human-readable form is inefficient.

And that's just searching, let alone, say, anything else you might be up to on their website that they might want to track - what sort of queries you make on Google Earth, what features you click on or ignore, what sort of destination data you are asking for, what location you are searching for when you type in a string, the list goes on.

And EVERY TIME that they track anything additional - anything at all - they have to then update not only their database, but your own super special file, because creating the file after the fact is practically impossible because there are all sorts of data that they're going to be storing away in various places and it's difficult for them to recover all of it after the fact as a lot of it IS going into databases and the like rather than being stored as specifically yours, even though you "donated" to said database.

This costs:

Storage space
Time
Effort
Endless lawsuits as "is that really all of my data"?

It makes it easy to make a mistake and not include data.

People like you are bad for society. Period. There are no exceptions.

"I want the government to be accountable!" So what ends up happening is that they have four audits per year, each taking a week, meaning that instead of getting 52 weeks of work out of said agencies, you get 48 weeks of work. Except wait, they have to spend a week prepping for the audits. 44 weeks. Given that they need vacation time and sick leave, you really only are looking at 49 weeks a year in the first place, so really the actual reduction is to 41 weeks. Congrats, you have now cut government efficiency by 16%. "Why is the government so inefficient!" Gee I wonder.

There's a limit on how much regulation is a good thing. This is an example of bad regulation because it makes people do a whole lot of work for zero gain. "But I am an insane moron, I have the right to this!" No, you really, really, really, really don't. If you don't like it, don't do business with Google or Facebook. "But I have to!!!!" Really? You HAVE to? Then sure, you can pay them forty dollars a year or whatever to avoid being put in their databases or tracked beyond the most basic data.

The cost is an undue burden. Period.

EDIT: Also, if anyone ever gets unauthorized access to all this data neatly put together for you which describes everything you've ever done on Google, you're hosed. And you, in your infinite stupidity, will blame Google and not your own insane insistence that Google prepare these materials for you.

U MAD, BRO?

They've had this law in Europe for a while now, and yet their economy hasn't collapsed. Probably California's won't either.

If a company uses data about me to make profits (or potential profits), they should be expected to provide it back to me on request. After all, I was willing to create the data and give it to them either directly or through my actions, and they're looking to profit in some way from it, so what justification can there be not to provide it back to me?

Data is a resource, and companies have been getting free access to that resource for a long time.

Companies are increasingly having to pay for what they do. They can't just use free resources and dump waste. They have to pay for externalities. It's not an undue burden, it's merely a cost of doing business.

As always you have it exactly the wrong way around. Businesses have to follow the law in countries they want to do business in and - except in the US, sadly - businesses shouldn't be the ones who exactly decide what is passed as a law and what is not.

So if people of some legislature think that it is in their best interest to have some accountability over what private data of them is stored, processed and used, Google/Facebook/whoever either obey these rules or decide to stop doing business in that region. Considering that neither Facebook nor Google or anybody else has decided to stop doing business in the largest economy worldwide despite this rule, it seems they can handle it.

Now to the pseudo-technical part of the post:

Titanium Dragon wrote:

And a lot of this data is not going to be stored like this, but rather compressed into big datasets which are read by computers, not by people - storing it in human-readable form is inefficient.

So what you're saying is basically that while Google stores all this data, they have no way to actually query or process it? Did you actually think about this for a second before posting? Google only stores data that it needs or can use for its purposes, which also means they can process it. Neither this law nor the EU law demands that Google stores additional data.

Sure they'll have to write the queries to actually format the data in a useful human-readable way, which incurs some cost, but certainly not technically infeasible. All the documentation for this stuff exists anyhow, or do you think that nobody has documented what those row keys in a BigTable db mean?

They've had this law in Europe for a while now, and yet their economy hasn't collapsed. Probably California's won't either.

And yet somehow all of the biggest, best, and most important internet companies are American, with a few exceptions over in China and Japan.

I WONDER WHY THAT COULD BE.

Could it be that European laws are terrible, and people would prefer to create their companies in the US?

Hm...

Voo42 wrote:

So what you're saying is basically that while Google stores all this data, they have no way to actually query or process it? Did you actually think about this for a second before posting? Google only stores data that it needs or can use for its purposes, which also means they can process it. Neither this law nor the EU law demands that Google stores additional data.

Wrong. Wrong wrong wrong wrong wrong.

Oh god that is so wrong.

They have a way of querying or processing it, but they query and process it according to THEIR needs. They probably don't care what you, personally, do in many cases, but they do care in a general sense in order to improve their algorithms. A lot of the data probably gets folded into other datasets in databases in a way that it is not designed to be retrievable because they're more interested in people from Australia clicking the third link when searching for penguins instead of the first link; that you, personally, did so may well not be linked to that data at all, or only be linked in a way that is very difficult to ferret out because the data isn't actually designed for that purpose - the data is designed to help them improve their search function rather than to track every move you make.

So yeah, your data got mixed in with a whole bunch of other data, but it may no longer be (easily) identifiable as your data, and there may be no way to actually find it again for you - or at least no easy way, because the system isn't designed for doing that, it's designed for another purpose entirely.

That means if I'm ever processing your data in some way that is going to anonymize it or make it more difficult for me to track the origin of, I'm going to need an extra copy of it because fishing it out of the database is somewhere between "difficult" and "nightmarish". It may be possible in principle, but it would be difficult to be certain you got everything, and some of it may get severed off and not be trackable at all.

If I was running a website, I wouldn't really necessarily want to track everything, but I would probably track how many people click on which articles, and where they go from there. That data may or may not be easily tracked back to you, but if someone asks me for every bit of data I have ever gathered on you, what am I going to say? "I have no idea, that's not how I use my data". But now I'm legally compelled to do so because some retards in California (home of a broken tax and prison system) thought it was a good idea.

As someone running a website, I may track you, but the degree to which I am actually tracking -you- varies by what I am doing, because only some of that data is even useful to link in to you - some of it is just generic traffic data I'm getting from you. But I did collect the data from you.

This is an example of why people are morons. They don't really understand anything, but they think they understand everything.

If it was easy, the companies wouldn't particularly care. But if you look at the whole Facebook thing, it's obvious that they don't actually store the data that way.

If anything, it is likely to compromise your privacy because they'll have to link EVERYTHING to your name wherever possible. Do you really want that?

Quote:

As always you have it exactly the wrong way around. Businesses have to follow the law in countries they want to do business in and - except in the US, sadly - businesses shouldn't be the ones who exactly decide what is passed as a law and what is not.

Morons shouldn't be able to vote or pass laws. It's that simple.

It's not wrong for a business to point out that something is going to be a lot more trouble than it is worth, or fight something which puts an undue burden on them because crazy people think that big brother is out to get them.

Bad laws are bad laws, and the fact that you are saying that business interests shouldn't be able to speak up proves that you are both stupid and evil. Why should YOU get to speak up? Everyone should have a voice.

If politicians were competent, they would actually listen to only smart people. But they aren't, because they're elected by the same morons who think that organic food is good for you or the environment, and there are a lot more idiots in the world than intelligent people.